Cumulus Linux 3.6 Release Notes
These release notes support Cumulus Linux 3.6.0, 3.6.1, and 3.6.2 and describe currently available features and known issues.
Stay up to Date
- Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
- Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.
What’s New in Cumulus Linux 3.6.2
Cumulus Linux 3.6.2 contains the following new features, platforms, and improvements:
- Facebook Voyager (DWDM) (100G Tomahawk) now generally available
- NCLU commands available for configuring traditional mode bridges
- VRF static route leaking with EVPN symmetric routing
- New vrf_route_leak_enable option used to enable VRF route leaking
What’s New in Cumulus Linux 3.6.1
Cumulus Linux 3.6.1 contains bug fixes and security fixes.
What’s New in Cumulus Linux 3.6.0
Cumulus Linux 3.6.0 contains a number of new platforms, features and improvements:
- New platforms include:
  - Dell S4128T-ON (10GBASE-T Maverick)
  - Dell S5048-ON (25G Tomahawk+)
  - Delta AG-5648v1 (25G Tomahawk+)
  - Edgecore AS7312-54XS (Tomahawk+)
  - Facebook Voyager (100G Tomahawk/DWDM) Early Access
  - Penguin Arctica 1600CS (100G Spectrum)
  - Penguin Arctica 3200CS (100G Spectrum)
  - Penguin Arctica 4808X (10G Spectrum)
- Policy-based routing
- VRF route leaking
- PTP boundary clock on Mellanox switches
- GRE tunneling on Mellanox switches
- New ports.conf file validator finds syntax errors and provides a reason for each invalid line. Error messages are shown when you run the `net commit` command.
- Support for the combination of the `local-as` and `allowas-in` commands
- OSPFv3 enhancements:
  - Validated interoperability with other routers at a scale of 120 neighbors
  - New NCLU commands to configure OSPFv3
- EVPN Enhancements:
- Cumulus Linux 3.6 is the last release to support Quanta IX2 (25G Tomahawk)
Licensing
Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, enabling any capability to be utilized on the switch with the exception of forwarding on switch panel ports. Only eth0 and console ports are activated on an un-licensed instance of Cumulus Linux. Enabling front panel ports requires a license.
You should have received a license key from Cumulus Networks or an authorized reseller. To install the license, read the Quick Start Guide.
Installing Version 3.6
If you are upgrading from version 3.0.0 or later, use apt-get to update the software.
Cumulus Networks recommends you use the `-E` option with `sudo` whenever you run any `apt-get` command. This option preserves your environment variables, such as HTTP proxies, before you install new packages or upgrade your distribution.
Retrieve the new version packages:

```
cumulus@switch:~$ sudo -E apt-get update
```

If you are using any early access features from an older release, remove them with:

```
cumulus@switch:~$ sudo -E apt-get remove EA_PACKAGENAME
```

Upgrade the release:

```
cumulus@switch:~$ sudo -E apt-get upgrade
```

To include additional Cumulus Linux packages not present in your current version, run the command:

```
cumulus@switch:~$ sudo -E apt-get install nclu hostapd python-cumulus-restapi linuxptp
```

If you already have the latest version of a package installed, you see messages similar to `nclu is already the newest version`. You might also see additional packages being installed due to dependencies.

Reboot the switch:

```
cumulus@switch:~$ sudo reboot
```
If you see errors for expired GPG keys that prevent you from upgrading packages when upgrading to Cumulus Linux 3.6 from 3.5.1 or earlier, follow the steps in Upgrading Expired GPG Keys.
In Cumulus Linux 3.6.0, the upgrade process has changed. During an upgrade to 3.6.0 from 3.5 or earlier, certain services might be stopped. These services are not restarted until after the switch reboots, which results in some functionality being lost during the upgrade process.
During the upgrade, you will see messages similar to the following:

```
/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'
```

At the end of the upgrade, if a reboot is required, you see the following message:

```
*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***
```

Do not restart services manually until after rebooting, or services will fail.

For upgrades post 3.6.0, if no reboot is required after the upgrade completes, the upgrade will stop and restart all upgraded services and will log messages in the `/var/log/syslog` file similar to the ones shown below. (In the examples below, only the `frr` package was upgraded.)

```
Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished
```
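The policy-rc.d and `Policy:` messages above are the only signal of whether the upgrade deferred service restarts to the reboot or restarted the services itself. The following is an added example, not part of these release notes or of Cumulus Linux: a small POSIX shell checker that reads a file holding the `apt-get` output or the relevant `/var/log/syslog` lines, classifies the end state, and lists the units whose stop/start was postponed, so an operator can confirm that nothing should be restarted by hand before the reboot. The function names are mine, and the sample log is constructed to match the message formats quoted above.

```shell
#!/bin/sh
# Added example, not Cumulus Linux code: classify the end state of an apt-get
# upgrade from the policy-rc.d / "Policy:" messages it logs, and list the
# services whose stop/start was postponed. Input is a file containing the
# apt-get output or the relevant /var/log/syslog lines.

# Print one of: reboot-required | services-restarted | unknown
upgrade_state() {
    log="$1"
    if grep -q 'System reboot required' "$log"; then
        echo "reboot-required"      # restart nothing by hand; reboot instead
    elif grep -q 'Policy: Finished restarting services' "$log"; then
        echo "services-restarted"   # post-3.6.0 upgrade restarted them itself
    else
        echo "unknown"
    fi
}

# Print the units whose stop/start was deferred, one per line, sorted and unique.
# Handles both message formats: the 3.6.0 policy-rc.d lines and the later "Policy:" lines.
postponed_services() {
    {
        sed -n "s/.*not running '[a-z]* \([^']*\)'.*/\1/p" "$1"
        sed -n 's/.*Policy: Service \([^ ]*\) action [a-z]* postponed.*/\1/p' "$1"
    } | sort -u
}

# Exit 0 only if the upgrade already restarted its services; 1 if a reboot is
# pending or the state cannot be determined from the log.
safe_to_restart() {
    [ "$(upgrade_state "$1")" = "services-restarted" ]
}

# Constructed sample log: the message formats mirror the ones quoted in the
# release notes, but these lines were written for this example.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Setting up switchd ...
/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'
Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample
sample=$(make_sample_log)
echo "state: $(upgrade_state "$sample")"
echo "postponed: $(postponed_services "$sample" | tr '\n' ' ')"
if safe_to_restart "$sample"; then
    echo "services already restarted by the upgrade"
else
    echo "do not restart services manually; reboot the switch"
fi
rm -f "$sample"
```

Run it against a saved copy of the upgrade output (`sudo -E apt-get upgrade 2>&1 | tee upgrade.log`) and gate any manual `systemctl restart` on `safe_to_restart`; an unknown state is treated as unsafe on purpose.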
For additional information about upgrading, see Upgrading Cumulus Linux.
New Install or Upgrading from Versions Older than 3.0.0
If you are upgrading from a version older than 3.0.0, or installing Cumulus Linux for the first time, download the Cumulus Linux 3.6.0 installer for Broadcom or Mellanox switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the Quick Start Guide.
This method is destructive; any configuration files on the switch are not saved; copy them to a different server before upgrading via ONIE.
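Because the ONIE install wipes the switch, and the MLAG procedure below also expects you to restore the license file and configuration files from a backup, here is an added example (not from the release notes or from Cumulus Linux) of a POSIX shell backup routine to run before the reinstall. The list of paths to archive, including the license location `/etc/cumulus/.license`, is an assumption about a typical Cumulus Linux switch; adjust it for your deployment. The root argument exists so the function can be exercised against a constructed directory tree instead of a live switch.

```shell
#!/bin/sh
# Added example, not Cumulus Linux code: archive configuration that an ONIE
# reinstall destroys, so it can be copied off the switch and restored afterwards.
# Usage: backup_switch_config <root> <absolute path of output .tar>
#   <root> is normally "/"; for testing it can be any constructed directory tree.
backup_switch_config() {
    root="$1"
    out="$2"
    # Paths to preserve. This list is an assumption about a typical switch;
    # entries that do not exist are skipped, since not every switch has all of them.
    candidates="etc/network/interfaces etc/network/interfaces.d etc/frr \
etc/cumulus/ports.conf etc/cumulus/switchd.conf etc/cumulus/.license \
etc/cumulus/acl etc/hostname etc/hosts etc/ntp.conf etc/ssh/sshd_config"
    present=""
    for p in $candidates; do
        if [ -e "$root/$p" ]; then
            present="$present $p"
        fi
    done
    if [ -z "$present" ]; then
        echo "backup_switch_config: nothing to back up under $root" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word splitting of $present is intended
    tar -C "$root" -cf "$out" $present || return 1
    chmod 600 "$out"   # the license is a credential; keep the archive private
}

# Print the archive members, one per line.
list_backup() {
    tar -tf "$1"
}

# Print the SHA-256 of the archive; compare it on the remote server after copying
# so a truncated or corrupted transfer is caught before the switch is wiped.
backup_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Stand-alone demo on a constructed tree: none of these files come from a real switch.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/frr" "$demo_root/etc/network" "$demo_root/etc/cumulus"
printf 'hostname leaf01\n' > "$demo_root/etc/frr/frr.conf"
printf 'auto lo\niface lo inet loopback\n' > "$demo_root/etc/network/interfaces"
printf '1=100G\n2=4x25G\n' > "$demo_root/etc/cumulus/ports.conf"
backup_switch_config "$demo_root" "$demo_root/switch-config.tar"
list_backup "$demo_root/switch-config.tar"
echo "sha256: $(backup_digest "$demo_root/switch-config.tar")"
rm -rf "$demo_root"
```

On a real switch the call is `backup_switch_config / /tmp/switch-config.tar`; copy the archive to another server with `scp`, re-run `sha256sum` there, and only proceed with ONIE once the digests match.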
After you install, run `apt-get update`, then `apt-get upgrade` on your switch to make sure you update Cumulus Linux to include any important or other package updates.
Updating a Deployment that Has MLAG Configured
If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow these steps:
1. Disable `clagd` in the `/etc/network/interfaces` file (set `clagd-enable` to `no`), then restart the `switchd`, networking, and FRR services.

   ```
   cumulus@switch:~$ sudo systemctl restart switchd.service
   cumulus@switch:~$ sudo systemctl restart networking.service
   cumulus@switch:~$ sudo systemctl restart frr.service
   ```

2. If you are using BGP, notify the BGP neighbors that the switch is going down:

   ```
   cumulus@switch:~$ sudo vtysh -c "config t" -c "router bgp" -c "neighbor X.X.X.X shutdown"
   ```

3. Stop the Quagga (if upgrading from a version earlier than 3.2.0) or FRR service (if upgrading from version 3.2.0 or later):

   ```
   cumulus@switch:~$ sudo systemctl stop [quagga|frr].service
   ```

4. Bring down all the front panel ports:

   ```
   cumulus@switch:~$ sudo ip link set swp<#> down
   ```

5. Run `cl-img-select -fr` to boot the switch in the secondary role into ONIE, then reboot the switch.

6. Install Cumulus Linux 3.6 onto the secondary switch using ONIE. At this time, all traffic is going to the switch in the primary role.

7. After the install, copy the license file and all the configuration files you backed up, then restart the `switchd`, networking, and Quagga services. All traffic is still going to the primary switch.

   ```
   cumulus@switch:~$ sudo systemctl restart switchd.service
   cumulus@switch:~$ sudo systemctl restart networking.service
   cumulus@switch:~$ sudo systemctl restart quagga.service
   ```

8. Run `cl-img-select -fr` to boot the switch in the primary role into ONIE, then reboot the switch. Now, all traffic is going to the switch in the secondary role that you just upgraded to version 3.6.

9. Install Cumulus Linux 3.6 onto the primary switch using ONIE.

10. After the install, copy the license file and all the configuration files you backed up.

11. Follow the steps for upgrading from Quagga to FRRouting.

12. Enable `clagd` again in the `/etc/network/interfaces` file (set `clagd-enable` to `yes`), then run `ifreload -a`.

    ```
    cumulus@switch:~$ sudo ifreload -a
    ```

13. Bring up all the front panel ports:

    ```
    cumulus@switch:~$ sudo ip link set swp<#> up
    ```

Now the two switches are dual-connected again and traffic flows to both switches.
Perl, Python and BDB Modules
Any Perl scripts that use the `DB_File` module or Python scripts that use the `bsddb` module won’t run under Cumulus Linux 3.6.
Issues Fixed in Cumulus Linux 3.6.2
The following is a list of issues fixed in Cumulus Linux 3.6.2 from earlier versions of Cumulus Linux.
Release Note ID | Summary | Description |
---|---|---|
RN-763 (CM-16139) | OSPFv3 does not handle ECMP properly | IPv6 ECMP is not working as expected in OSPFv3. This issue is fixed in Cumulus Linux 3.6.2. |
RN-799 (CM-16493) | No way to configure IPv6 link-local addrgenmode using ifupdown2 or NCLU | You cannot use NCLU or To work around this limitation, you can use the following Note: This command does not persist across a reboot of the switch. This issue is fixed in Cumulus Linux 3.6.2. |
RN-827 (CM-14300) | cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces | The iptables are not counting against the default INPUT chain rule for packets ingressing ethX interfaces. This issue is fixed in Cumulus Linux 3.6.2. |
RN-875 (CM-20779) | On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop to be missing from hardware | On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware. To work around this issue, manually delete the ARP entry from kernel with the This issue is fixed in Cumulus Linux 3.6.2. |
RN-880 (CM-20672) | In Mellanox buffer monitoring, packet statistics per priority ignore priority 7 | The buffer monitoring tool on Mellanox switches only shows priority 0 thru 6 for the all_packet_pg statistics; priority 7 is not shown. This issue is fixed in Cumulus Linux 3.6.2. |
RN-882 (CM-20648) | When using VRF route leaking on a Mellanox switch, forwarded packets are copied to the CPU several times | When using VRF Route leaking on Mellanox switches in a VLAN-unaware bridge configuration, the packets for a locally attached leaked host are software forwarded. To work around this issue, use a VLAN-aware bridge configuration. This issue is fixed in Cumulus Linux 3.6.2. |
RN-883 (CM-20644) | If the PTP services are running when switchd is restarted, the PTP services need to be restarted | When using PTP and This issue is fixed in Cumulus Linux 3.6.2. |
RN-889 (CM-20450) | Issuing the 'net add routing import-table' command results in an FRR service crash | The FRR service crashes when you run the To work around this issue, do not use the NCLU. This issue is fixed in Cumulus Linux 3.6.2. |
RN-891 (CM-20684) | On Mellanox switches, attempts to configure a VRF with a nexthop from another VRF results in an sx_sdk daemon crash and loss of forwarding functionality | VRF Route Leaking is not supported on Mellanox platforms in CL 3.6.0. Attempts to configure a VRF with a nexthop from another VRF can result in an This issue is fixed in Cumulus Linux 3.6.2. |
RN-902 (CM-19699) | BGP scaling not hashing southbound traffic from Infra switches | When routing traffic from Infra switches back through VXLAN, Infra switches are choosing one spine to send all flows through. This issue is fixed in Cumulus Linux 3.6.2. |
RN-947 (CM-20992) | RS FEC configuration cleared and not re-installed on switchd restart, leaving links down | During This issue is fixed in Cumulus Linux 3.6.2. |
RN-954 (CM-21062) | Redundant NCLU commands to configure the DHCP relay exit with return code 1 | When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address. This issue is fixed in Cumulus Linux 3.6.2. |
RN-964 (CM-21319) | When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs | When you upgrade to Cumulus Linux 3.6.x, static routes configured in the This issue is fixed in Cumulus Linux 3.6.2. |
RN-966 (CM-21297) | TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6 | When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users mapped to tacacs0 thru tacacs15 users with the netshow or netedit user groups cannot run This behavior is seen when upgrading with simple authentication only and occurs without a restricted shell for command authorization being enabled. This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases. To work around this issue, edit the After making this change, restart This issue is fixed in Cumulus Linux 3.6.2. |
RN-970 (CM-21203) | VXLAN and tcam_resource_profile set to acl-heavy, causes the switch to crash | Changing To work around this issue, remove the This issue is fixed in Cumulus Linux 3.6.2. |
RN-972 (CM-21003) | Cumulus Linux does not forward PTP traffic by default | A switch running Cumulus Linux 3.6.0 or later does not forward transit precision time protocol (PTP) packets as PTP is not enabled by default in Cumulus Linux. To work around this issue, downgrade the switch to Cumulus Linux 3.5.3. This issue is fixed in Cumulus Linux 3.6.2. |
RN-974 (CM-21383) | Mellanox does not install traps for multicast groups registered to the Kernel | Mellanox switches do not install traps in hardware to send multicast traffic to the kernel, even after registering the multicast group. This issue is fixed in Cumulus Linux 3.6.2. |
RN-976 (CM-21335) | EVPN route map with match VNI causes FRR core | Applying a route map using This issue is fixed in Cumulus Linux 3.6.2. |
RN-977 (CM-21508) | EVPN best path not reinstalled after EVPN type 2 MAC route is withdrawn | A remote VRR MAC that is normally learned through an EVPN Type-2 route is learned locally on a host-facing port. This is then propagated through a new Type-2 MAC route throughout the environment and remote access switch pairs install the erroneous route. To work around this issue, re-send the EVPN update from the infra pair by changing the VRR MAC or clearing the session. This issue is fixed in Cumulus Linux 3.6.2. |
RN-986 (CM-21256) | ARP storm in VXLAN symmetric routing | With VXLAN symmetric routing, it is possible to generate an ARP packet storm when SVI addresses are common across different racks. This issue is fixed in Cumulus Linux 3.6.2. |
RN-987 (CM-20938) | Debian Security Advisory DSA-4196-1 CVE-2018-1087 CVE-2018-8897 for the linux kernel package | The following CVEs were announced in Debian Security Advisory DSA-4196-1 and affect the Linux kernel. This issue is fixed in Cumulus Linux 3.6.2. -------------------------------------------------------------------------- Debian Security Advisory DSA-4196-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 08, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package: linux CVE ID: CVE-2018-1087 CVE-2018-8897 Debian Bug: 897427 897599 898067 898100 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-1087 Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM guest user to crash the guest or potentially escalate their privileges. CVE-2018-8897 Nick Peterson of Everdox Tech LLC discovered that #DB exceptions that are deferred by MOV SS or POP SS are not properly handled, allowing an unprivileged user to crash the kernel and cause a denial of service. For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1+deb8u1. This update includes various fixes for regressions from 3.16.56-1 as released in DSA-4187-1 (Cf. #897427, #898067 and #898100). For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1 is temporarily reverted due to various regression, cf. #897599. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux |
RN-988 (CM-20834) | Debian Security Advisory DSA 4187-1 for linux kernel | The following CVEs were announced in Debian Security Advisory DSA-4187-1 and affect the Linux kernel. This issue is fixed in Cumulus Linux 3.6.2. -------------------------------------------------------------------------- Debian Security Advisory DSA-4187-1 security@debian.org https://www.debian.org/security/ Ben Hutchings May 01, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package: linux CVE ID: CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation. CVE-2017-0861 Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution. CVE-2017-5753 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function. More use sites will be added over time. CVE-2017-13166 A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation. CVE-2017-13220 Al Viro reported that the Bluetooth HIDP implementation could dereference a pointer before performing the necessary type check. A local user could use this to cause a denial of service. CVE-2017-16526 Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service. CVE-2017-16911 Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities. CVE-2017-16912 Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-16913 Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-16914 Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a received packet, leading to a null pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service. CVE-2017-18017 Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution. CVE-2017-18203 Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service. CVE-2017-18216 Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service. CVE-2017-18232 Jason Yan reported a race condition in the SAS (Serial-Attached SCSI) subsystem, between probing and destroying a port. This could lead to a deadlock. A physically present attacker could use this to cause a denial of service. CVE-2017-18241 Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service. CVE-2018-1066 Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service. CVE-2018-1068 The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default. CVE-2018-1092 Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service. CVE-2018-5332 Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation. CVE-2018-5333 Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a null pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service. CVE-2018-5750 Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities. CVE-2018-5803 Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service. CVE-2018-6927 Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact. CVE-2018-7492 The syzkaller tool found that the RDS protocol was lacking a null pointer check. A local attacker on a system with the rds module loaded could use this for denial of service. CVE-2018-7566 Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation. CVE-2018-7740 Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service. CVE-2018-7757 Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service. CVE-2018-7995 Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact. CVE-2018-8781 Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation. CVE-2018-8822 Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client. CVE-2018-1000004 Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation. CVE-2018-1000199 Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures. For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1. For the detailed security status of linux, refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux |
RN-1005 (CM-21490) | On Mellanox switches, when an ERSPAN forwarding rule is defined and non-atomic update mode is enabled, traffic is blocked | When ERSPAN is enabled on a Mellanox switch and non_atomic_update_mode = TRUE, traffic through the switch is blocked. This issue is fixed in Cumulus Linux 3.6.2. |
RN-1007 (CM-21599) | With ECMP rebalance enabled for PIM, multicast stream loss might occur following a link failure | If you shut down the RPF nexthop switch after the last hop router builds the SPT, the switch might not failover to the alternate ECMP RPF nexthop. This issue is fixed in Cumulus Linux 3.6.2. |
RN-1008 (CM-21396) | The 'net del interface bridge vids' command removes the interface from the bridge ports list | If you run the To work around this issue, add the interface back to the bridge with the This issue is fixed in Cumulus Linux 3.6.2. |
RN-1009 (CM-21474) | Multiple sx_core: lag_id errors in syslog | On Mellanox switches, when the input port of a sampled packet is a bond interface, you see multiple This issue is fixed in Cumulus Linux 3.6.2. |
RN-1010 (CM-21352) | Debian Security Advisory DSA-4212-1 CVE-2018-11235 for the git package | The following CVE was announced in Debian Security Advisory DSA-4212-1 and affects the git package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4212-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 29, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : git CVE ID : CVE-2018-11235 Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. For the oldstable distribution (jessie), this problem has been fixed in version 1:2.1.4-2.1+deb8u6. For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u3. We recommend that you upgrade your git packages. For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git |
RN-1011 (CM-21350) | Debian Security Advisory DSA 4224-1 CVE-2018-12020 for the gnupg package | The following CVE was announced in Debian Security Advisory DSA-4224-1 and affects the gnupg package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4224-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 08, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : gnupg CVE ID : CVE-2018-12020 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5. For the detailed security status of gnupg, refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg |
RN-1012 (CM-21351) | Debian Security Advisory DSA 4222-1 CVE-2018-12020 for the gnupg2 package | The following CVE was announced in Debian Security Advisory DSA-4222-1 and affects the gnupg2 package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4222-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 08, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : gnupg2 CVE ID : CVE-2018-12020 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2. For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2. For the detailed security status of gnupg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg2 |
RN-1013 (CM-20926) | Debian Security Advisory DSA-4195-1 CVE-2018-0494 for the wget package | The following CVEs were announced in Debian Security Advisory DSA-4195-1 and affect the wget package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4195-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 08, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : wget CVE ID : CVE-2018-0494 Debian Bug : 898076 Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values. For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5. For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2. We recommend that you upgrade your wget packages. For the detailed security status of wget please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wget |
RN-1014 (CM-21349) | Debian Security Advisory DSA-4226-1 CVE-2018-12015 for the perl package | The following CVEs were announced in Debian Security Advisory DSA-4226-1 and affect the perl package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4226-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 12, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : perl CVE ID : CVE-2018-12015 Debian Bug : 900834 Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive. For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11. For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4. We recommend that you upgrade your perl packages. For the detailed security status of perl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/perl |
RN-1015 (CM-20865) | clagd memory growth during oversubscription test | During an oversubscription test where more than 100G of traffic is destined for an MLAG host bond, the host bond bounces and MLAG memory usage grows to over 1.2GB. After stopping Ixia traffic and protocols, the This issue is fixed in Cumulus Linux 3.6.2. |
RN-1016 (CM-20803) | Debian Security Advisory DSA-4186-1 CVE-2018-1000164 for the gunicorn package | The following CVE was announced in Debian Security Advisory DSA-4186-1 and affects the gunicorn package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4186-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : gunicorn CVE ID : CVE-2018-1000164 It was discovered that gunicorn, an event-based HTTP/WSGI server, was susceptible to HTTP response splitting. For the oldstable distribution (jessie), this problem has been fixed in version 19.0-1+deb8u1. We recommend that you upgrade your gunicorn packages. For the detailed security status of gunicorn please refer to its security tracker page at: |
RN-1017 (CM-21348) | Debian Security Advisory DSA-4217-1 CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362 for wireshark | The following CVEs were announced in Debian Security Advisory DSA-4217-1 and affect the wireshark package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4217-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 03, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : wireshark CVE ID : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362 It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code. For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u14. For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u3. For the detailed security status of wireshark, refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark |
RN-1018 (CM-20799) | Cannot use NCLU to add or delete RADIUS client IP addresses for 802.1X interfaces | This issue is fixed in Cumulus Linux 3.6.2. |
RN-1019 (CM-21156) | Debian Security Advisory DSA-4211-1 CVE-2017-18266 for xdg-utils package | The following CVEs were announced in Debian Security Advisory DSA-4211-1 and affect the xdg-utils package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4211-1 security@debian.org https://www.debian.org/security/ Luciano Bello May 25, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : xdg-utils CVE ID : CVE-2017-18266 Debian Bug : 898317 Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy to which the network traffic could be intercepted for that particular execution. For the oldstable distribution (jessie), this problem has been fixed in version 1.1.0~rc1+git20111210-7.4+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 1.1.1-1+deb9u1. For the detailed security status of xdg-utils, refer to its security tracker page at: https://security-tracker.debian.org/tracker/xdg-utils |
RN-1020 (CM-21098) | Debian Security Advisory DSA-4208-1 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 for the procps top and ps commands | The following CVEs were announced in Debian Security Advisory DSA-4208-1 and affect the procps package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4208-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 22, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : procps CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 Debian Bug : 899170 The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-1122 top reads its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation. CVE-2018-1123 Denial of service against the ps invocation of another user. CVE-2018-1124 An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation. CVE-2018-1125 A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process. CVE-2018-1126 Incorrect integer size parameters used in wrappers for standard allocators could cause integer truncation and lead to integer overflow issues. For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1. For the detailed security status of procps, refer to its security tracker page at: https://security-tracker.debian.org/tracker/procps A full readable description of the vulnerabilities is here: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt They are all local issues only: denial of service, and a top privilege escalation. |
RN-1022 (CM-20697) | Debian Security Advisory DSA-4176-1 CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819 for the mysql package | The following CVEs were announced in Debian Security Advisory DSA-4176-1 and affect the mysql library and common packages. This issue is fixed in Cumulus Linux 3.6.2. -------------------------------------------------------------------------- Debian Security Advisory DSA-4176-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : mysql-5.5 CVE ID : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html For the oldstable distribution (jessie), these problems have been fixed in version 5.5.60-0+deb8u1. We recommend that you upgrade your mysql-5.5 packages. For the detailed security status of mysql-5.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mysql-5.5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ |
RN-1023 (CM-20138) | NCLU errors out on a breakout port when the port is already configured in a bridge | It has been reported that splitting a switch port removes it from the bridge. This issue is fixed in Cumulus Linux 3.6.2. |
RN-1024 (CM-21047) | cl-support takes a long time to complete when a large amount of space is allocated to /var/log/lastlog | When there is a lot of space allocated to This issue is fixed in Cumulus Linux 3.6.2. |
RN-1026 (CM-21012) | Debian Security Advisory DSA-4202-1 CVE-2018-1000301 for the curl package | The following CVE was announced in Debian Security Advisory DSA-4202-1 and affects the curl package. This issue is fixed in Cumulus Linux 3.6.2. ------------------------------------------------------------------------- Debian Security Advisory DSA-4202-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini May 16, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2018-1000301 Debian Bug : 898856 OSS-fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer library, could be tricked into reading data beyond the end of a heap-based buffer when parsing invalid headers in an RTSP response. For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u11. For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u6. For the detailed security status of curl, refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl |
RN-1028 (CM-20728) | Errors occur when installing TOS matched rules in ip6tables | The following error occurs when trying to install a TOS matched rule in ip6tables:
This issue is fixed in Cumulus Linux 3.6.2. |
RN-1029 (CM-21564) | NCLU configuration fails to commit due to invalid value for ip-forward or ip6-forward | After upgrading to Cumulus Linux 3.6.1 on Facebook Backpack switches, NCLU configuration fails to commit because of the default This issue is fixed in Cumulus Linux 3.6.2. |
New Known Issues in Cumulus Linux 3.6.2
The following issues are new to Cumulus Linux and affect the current release.
Release Note ID | Summary | Description |
---|---|---|
RN-975 (CM-21658) | Candidate EVPN best path is not re-installed after an EVPN type-2 MAC route is withdrawn | If host nodes reflect or bridge a frame received from access switch pairs back to the switches, a remote VRR virtual MAC that is normally learned through an EVPN type-2 MAC+IP (centralized advertise-default-gw) route is learned locally on a host-facing port. This is then propagated through a new type-2 MAC route throughout the environment, and remote access switch pairs install the erroneous route. To work around this issue, resend the EVPN update from the infra pair by changing the VRR MAC or clearing the session. This is a known issue that is currently being investigated. |
RN-979 (CM-21691) | When removing a dot1x configured port from a traditional bridge, the net pending command does not show the changes | When removing a dot1x configured port from a traditional bridge, the This is a known issue and should be fixed in a future release of Cumulus Linux. |
RN-980 (CM-21653) | Incorrect VLAN translation tags on double tagged bridge interfaces | A bridge with double tag translation configured on a member interface correctly maps the VLAN tags in the outgoing ARP request frame, but incorrectly maps the VLAN tags on the incoming ARP reply. This is a known issue that is currently being investigated. |
RN-982 (CM-21598) | IGMP configuration does not persist through a switch reboot | The order of the query interval and maximum response time parameters in an IGMP interface configuration together with an insufficient response time value causes the IGMP configuration to be lost during a switch reboot. The maximum response time cannot be greater than or equal to the query interval, and the maximum response time must be read before the interval. To work around this issue temporarily, move the query interval parameter to follow the This issue is being investigated at this time. |
RN-989 (CM-9695) | cl-resource-query: ACL metrics are displayed as 0 on a Mellanox switch | ACL-related metrics reported by
To work around this issue, run the Mellanox
This is a known issue and should be fixed in a future release of Cumulus Linux. |
RN-990 (CM-19647) | With EVPN symmetric routing on a Trident II+ or Maverick switch, forwarding with overlay ECMP routes does not work | Packets from a host to a destination that is reachable through a VXLAN overlay ECMP path might not get forwarded. The forwarding might work if the underlying ECMP members point to the CPU, because of software forwarding. The issue is seen on a leaf switch connected to the host sending the traffic. The issue can also be seen on a leaf switch connecting towards the destination where that egress route is ECMP. Depending on your network topology, one way to work around this issue is to use an as-path prepend so that one of the type-5 routes sent has a longer as-path:
This results in having just one route in the FIB:
|
RN-991 (CM-20316) | arp_accept and arp_ignore do not work for SVIs if a bridge has VXLAN interfaces | On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command:
This issue should be fixed in a future release of Cumulus Linux. |
RN-992 (CM-20570) | Disabled services started after running `net del all` then `net commit` | After running the This is a known issue and should be fixed in a future release of Cumulus Linux. |
RN-993 (CM-20585) | Routes learned via EVPN clouds do not get summarized | Routes that are learned from an EVPN cloud don't get summarized. Only routes that reside on or are owned by a switch get summarized. This is a known issue and should be fixed in a future release of Cumulus Linux. |
RN-994 (CM-21332) | switchd doesn't assign a gport for a VLAN subinterface | When two VLAN subinterfaces are bridged to each other in a traditional mode bridge, To work around this issue, you can do one of two things:
This issue should be fixed in a future release of Cumulus Linux. |
RN-995 (CM-21373) | Debian Security Advisory DSA-4231-1/CVE-2018-0495 for the libgcrypt20 package | Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the Debian Stretch release. Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable, but the vulnerability has not yet been fixed upstream in Debian. ------------------------------------------------------------------------- Debian Security Advisory DSA-4231-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2018 https://www.debian.org/security/faq ------------------------------------------------------------------------- Package : libgcrypt20 CVE ID : CVE-2018-0495 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3. We recommend that you upgrade your libgcrypt20 packages. For the detailed security status of libgcrypt20 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libgcrypt20 This issue will be fixed in a future version of Cumulus Linux when a fix is made available for Debian Jessie. |
RN-996 (CM-21379) | Floating static route is not installed into the FIB when the primary route becomes unavailable | If a primary route becomes unavailable (for example, you run To work around this issue, configure routes as ECMP:
This issue should be fixed in a future release of Cumulus Linux. |
RN-997 (CM-21393) | A VXLAN implementation is using a UDP source port lower than 1024 | Because VXLAN encapsulation uses the full range of source ports, it is possible for Cumulus Linux switches to generate packets with UDP source ports numbered lower than 1023. This might result in the traffic being mishandled in your network if you have rules in place to handle this port range differently; for example, you might have DSCP set up for this port range. To work around this issue, avoid using the well-known port range for sourcing VXLAN traffic. This issue should be fixed in a future release of Cumulus Linux. |
RN-998 (CM-21398) | Creating a MGMT ACL via NCLU results in a FORWARD entry | If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the This issue should be fixed in a future release of Cumulus Linux. |
RN-999 (CM-21422) | The NCLU `net show config` command shows the configuration that is pending and not the one that was committed | If you have any pending changes in the NCLU buffer, when you run This issue should be fixed in a future release of Cumulus Linux. |
RN-1000 (CM-21454) | Creating a new traditional mode bridge causes temporary traffic loss | Sometimes when creating a new bridge in traditional mode, an outage of 20-30 seconds can occur when running This issue should be fixed in a future release of Cumulus Linux. |
RN-1002 (CM-21556) | FRR next-hop resolution changes are not updated when applying a VRF to an interface after routes are configured in FRR | When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface. To work around this issue, remove and re-add the static routes. This issue is being investigated at this time. |
RN-1003 (CM-21511) | IGMP queries are not sent if a VXLAN is declared before the bridge in /etc/network/interfaces | If a VNI is configured before the bridge in To work around this issue, edit the
This issue is being investigated at this time. |
RN-1004 (CM-21496) | Scalability of redistribute neighbor limits the number of supported hosts | A Cumulus Linux switch cannot manage Docker containers running on 500 hosts. Entries in table 10 start to expire and are removed from the table. To work around this issue, modify the ebtable rules for This issue is being investigated at this time. |
RN-1006 (CM-20644) | The ptp4l and phc2sys services are enabled by default resulting in repeated syslog messages | In Cumulus Linux 3.6.1 and later, the ptp4l and phc2sys services are enabled by default. If you are not using PTP or PTP is not configured, the logs are repeatedly filled with messages similar to the following.
To work around this issue in Cumulus Linux 3.6.2, add
This issue should be fixed in a future release of Cumulus Linux. |
RN-1027 (CM-21707) | On Maverick switches, enabling auto-negotiation on 10G (all) and 1G SFP RJ45 breaks the link | On a Maverick switch, if auto-negotiation is configured on a 10G interface and the installed module does not support auto-negotiation (for example, 10G DAC, 10G Optical, 1G RJ45 SFP), the link breaks. To work around this issue, disable auto-negotiation on interfaces where it is not supported. See the Interface Configuration Recommendations for information about configuring auto-negotiation. This issue is being investigated at this time. |
RN-1062 (CM-22863) | Input chain ACLs do not apply in hardware on Broadcom platforms | Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel. This issue is being investigated at this time. |
RN-1168 (CM-22538) | If the /etc/network/interfaces alias is different from the frr.conf description, an /etc/frr/daemons error occurs when deleting the interface | When deleting an interface using NCLU, if the "/etc/frr/daemons was modified by another user." Despite this error being returned, the change still goes through, and the description gets removed from the This issue is fixed in Cumulus Linux 3.7.0. |
RN-1200 (CM-21566) | Changing BGP autonomous system numbers (ASN) when using EVPN stops programming of VXLAN forwarding entries | If you change the ASN configuration on a switch running EVPN then reload the FRR service (using To avoid this issue when making this change, restart the FRR process (using This issue is fixed in Cumulus Linux 3.7.0. |
RN-1315 (CM-24330) | On a Mellanox switch, when you change the VRF membership on an SVI with VRR configured, the VRR MAC is not programmed into hardware | On a Mellanox switch, when you change the VRF membership of an interface with VRR enabled, the VRR MAC address is not properly programmed into hardware. To work around this issue, delete and recreate the interface using This is a known issue that is currently being investigated. |
RN-1334 (CM-24316) | MSTP ignores BPDU from a dual-connected system | MSTP ignores BPDU from a dual-connected system. This is a known issue that is currently being investigated. |
RN-1455 (CM-24858) | On Broadcom switches, TPID programming is not reset on configuration change | On a Broadcom switch, TPID programming is not reset when there is a configuration change. As a result, you see unexpected packet drops. This is a known issue that is currently being investigated. |
RN-1485 (CM-20864) | The NCLU command to configure route leaking fails if the VRF is named 'red' | The NCLU command to configure route leaking fails if the VRF is named red. This is not a problem if the VRF is named RED (uppercase letters) or has a name other than red. To work around this issue, rename the VRF or run the vtysh command instead. This is a known issue that is currently being investigated. |
RN-1524 (CM-25754) | ARP replies are not forwarded as VXLAN over VXLAN | A port that is used as both a double tag interface and a VXLAN access side interface does not forward correctly; VXLAN decapsulation does not occur. This is a known issue that is currently being investigated. |
Issues Fixed in Cumulus Linux 3.6.1
The following is a list of issues fixed in Cumulus Linux 3.6.1 from earlier versions of Cumulus Linux.
Release Note ID | Summary | Description |
---|---|---|
RN-766 (CM-19006) | On the Broadcom Trident II+ and Maverick platforms, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop | On a Broadcom Trident II+ or Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet). This issue affects all traffic from VXLAN overlay hosts that needs to be routed after VXLAN decapsulation on an exit/border leaf, including:
To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID. For example, if the expected interface configuration is:
Modify the configuration as follows:
|
RN-860 (CM-20695) | Tab completion with 'net add vxlan' command produces traceback in the log | When using tab completion with the
This issue is fixed in Cumulus Linux 3.6.1. |
RN-876 (CM-20776) | EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router | With EVPN symmetric routing (including type-5 routes) you can only advertise host routes or prefix routes learned through EVPN to a VRF peer if EVPN peering uses BGP unnumbered. If the BGP peering is numbered, the This issue is fixed in Cumulus Linux 3.6.1. |
RN-887 (CM-20474) | VXLAN encapsulation drops ARP QinQ tunneled packets | When an ARP request or response (or IPv6 NS/NA) packet with double VLAN tags (such as 802.1Q over 802.1Q) is sent to a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the post-VXLAN-decapsulation packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the exposed inner VLAN tag is incorrectly used for VLAN filtering against the outer VLAN set, causing the packet to be discarded. This issue is fixed in Cumulus Linux 3.6.1. |
RN-890 (CM-20415) | On Maverick QCT LY7, Tomahawk+ AS7312 and DNI AG5648 switches, sysfs tree differences cause portwd startup failure | Inserting a 1000BASE-T RJ-45 SFP adapter into a Maverick QCT LY7, Tomahawk+ AS7312 or DNI AG5648 switch causes To work around this issue, do not use 1000BASE-T RJ-45 modules on the impacted switches. This issue is fixed in Cumulus Linux 3.6.1. |
RN-897 (CM-20086) | FRR doesn't support hostnames starting with a digit | NCLU reports an error attempting to configure FRR when the configured hostname begins with a digit:
To work around this issue, change the hostname of the switch to begin with an alphabetic character, not a digit. This issue is fixed in Cumulus Linux 3.6.1. |
RN-904 (CM-20800) | NCLU net add and net del commands missing for EVPN type-5 default originate | The NCLU This issue is fixed in Cumulus Linux 3.6.1. |
RN-907 (CM-20829) | netd fails on start after apt upgrade to 3.6.0 with "ImportError: No module named time" | When you use the This issue is fixed in Cumulus Linux 3.6.1. |
RN-933 (CM-20781) | NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError | Issuing the
This issue is fixed in Cumulus Linux 3.6.1. |
RN-935 (CM-20772) | ACL rule unable to match interface eth0 when belonging to VRF | ACL rules do not block incoming packets when interface eth0 belongs to a VRF. This issue is fixed in Cumulus Linux 3.6.1. |
RN-936 (CM-20418) | ACL to only allow ARP prevents ARP on SVIs | ACL rules that only allow ARP packets prevent ARP packets from reaching SVIs. This issue is fixed in Cumulus Linux 3.6.1. |
RN-937 (CM-19301) | Increase maximum sflow sampling ratio | The maximum sflow sampling ratio is too low and might overload the switch CPU. This is fixed in Cumulus Linux 3.6.1. The ratio is increased to 1:100000 in hsflowd. |
RN-944 (CM-20841) | netd fails to start for apt-upgrade from 3.3.2 to 3.6.0 | When upgrading from Cumulus Linux 3.3.2 to 3.6.0 using the This issue is fixed in Cumulus Linux 3.6.1. |
RN-945 (CM-20311) | Security: DSA-4157-1 for openssl issues CVE-2017-3738 CVE-2018-0739 | The following CVEs were announced in Debian Security Advisory DSA-4157-1, and affect the openssl package. This issue is fixed in Cumulus Linux 3.6.1. -------------------------------------------------------------------------- Debian Security Advisory DSA-4157-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 29, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2017-3738 CVE-2018-0739 Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3738 David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. CVE-2018-0739 It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service. Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20180327.txt For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738. For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2. We recommend that you upgrade your openssl packages. For the detailed security status of openssl please refer to its security tracker page at: |
RN-946 (CM-20603) | Security: DSA-4172-1 for perl issues CVE-2018-6797 CVE-2018-6798 CVE-2018-6913 | The following CVEs were announced in Debian Security Advisory DSA-4172-1 and affect the perl package. This issue is fixed in Cumulus Linux 3.6.1. -------------------------------------------------------------------------- Debian Security Advisory DSA-4172-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 14, 2018 https://www.debian.org/security/faq -------------------------------------------------------------------------- Package : perl CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-6797 Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written. CVE-2018-6798 Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure. CVE-2018-6913 GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count. For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913. For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3. We recommend that you upgrade your perl packages. For the detailed security status of perl please refer to its security tracker page at: |
RN-949 (CM-21038) | VRF stops working when /etc/resolv.conf does not exist | When upgrading to Cumulus Linux 3.6.0, if the This issue is fixed in Cumulus Linux 3.6.1. |
RN-958 (CM-21095) | NCLU 'net add bgp neighbor ' command does not create or enable the interface if it is not previously defined | When you run the This issue is fixed in Cumulus Linux 3.6.1. |
RN-962 (CM-21026) | DHCP request packets in VXLAN decapsulation do not go to CPU | On Broadcom platforms configured with a VXLAN centralized routing gateway, DHCP discover packets are not correctly processed for DHCP relay. This issue is fixed in Cumulus Linux 3.6.1. |
New Known Issues in Cumulus Linux 3.6.1
The following issues are new to Cumulus Linux and affect the current release.
Release Note ID | Summary | Description |
---|---|---|
RN-875 (CM-20779) | On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop to be missing from hardware | On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware. To work around this issue, manually delete the ARP entry from kernel with the This issue should be fixed in an upcoming release of Cumulus Linux. |
RN-938 (CM-20979) | Removing a VLAN from a bridge configured with VXLAN results in an outage | Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge. This issue is being investigated at this time. |
RN-939 (CM-20944) | On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables | On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot. To work around this issue, disable FEC on 100G AOC links. This issue is being investigated at this time. |
RN-940 (CM-20813) | On Mellanox switches, packets are not mirrored on matching '-out-interface bond0' SPAN rules | SPAN rules that match the out-interface as a bond do not mirror packets. This is a regression of an earlier issue and is being investigated at this time. |
RN-941 (CM-20806) | When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target | When configuring layer 2 VPN EVPN in vtysh, if a This issue is being investigated at this time. |
RN-942 (CM-20693) | In NCLU, you can only set the community number in a route map | In NCLU, you can only set the community number in a route map. You cannot set other community options such as This issue is being investigated at this time. |
RN-943 (CM-20639) | The neighbor table and EVPN routes are not updated on receiving GARP from an IP address that moved to a new MAC address | After moving an IP address to a new host, the neighbor table and EVPN routes do not update properly after receiving a GARP from the new MAC address to which the previously-active IP address has been moved. This issue is being investigated at this time. |
RN-947 (CM-20992) | RS FEC configuration cleared and not re-installed on switchd restart, leaving links down | During This issue is being investigated at this time. |
RN-948 (CM-17494) | The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet | In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of |
RN-951 (CM-21048) | NCLU command fails to delete the VRF static route | The NCLU command To work around this issue, delete the VRF static route using This issue is being investigated at this time. |
RN-952 (CM-21090) | NCLU 'net show bridge macs' command improperly displays the 'never' keyword | When you use the This issue is being investigated at this time. |
RN-953 (CM-21082) | Virtual device counters not working as expected | Virtual device counters are not working as expected. The TX counter increments but the RX counter does not. This issue is being investigated at this time. |
RN-954 (CM-21062) | Redundant NCLU commands to configure the DHCP relay exits with return code 1 | When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address. This issue is being investigated at this time. |
RN-955 (CM-21060) | NCLU 'net show configuration' output is out of order | When you run the This issue is being investigated at this time. |
RN-956 (CM-21055) | On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros | On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the packets are dropped by the first transient switch. This issue is being investigated at this time. |
RN-959 (CM-21167) | BGP aggregate created but left inactive in the routing table | If you use BGP to generate an aggregate, the aggregate shows up in the BGP table but is listed in zebra as inactive. This issue is being investigated at this time. |
RN-960 (CM-21154) | Deleting an interface with the NCLU command does not remove the interface in frr.conf | When you use NCLU to delete an interface, the associated configuration is not removed from the This issue is being investigated at this time. |
RN-963 (CM-21362) | Bringing down a bridge member interface sets the interface MTU to 1500 and the bridge MTU to 1500 | When you bring down an interface for a bridge member, the MTU for the interface and the MTU for the bridge are both set to 1500. To work around this issue, run For example:
As an alternative, in the
|
RN-964 (CM-21319) | When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs | When you upgrade to Cumulus Linux 3.6.x, static routes configured in the This issue is currently being investigated. |
RN-965 (CM-21313, CM-15657) | Errors occur if comma-separated globs exist in the /etc/network/interfaces file | If you edit the
To work around this issue, separate globs with spaces when manually editing the This issue is currently being investigated. |
RN-966 (CM-21297) | TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6 | When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users mapped to tacacs0 thru tacacs15 users with the netshow or netedit user groups cannot run
This behavior is seen when upgrading with simple authentication only and occurs without a restricted shell for command authorization being enabled. This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases. To work around this issue, edit the
After making this change, restart |
RN-969 (CM-21278) | NCLU 'net show lldp' output has PortDescr as Remote Port | When you run the To work around this issue, run the This issue is currently being investigated. |
RN-970 (CM-21203) | VXLAN and tcam_resource_profile set to acl-heavy, causes the switch to crash | Changing To work around this issue, remove the This issue is currently being investigated. |
RN-971 (CM-20501) | cl-ecmpcalc is not supported on Maverick (Broadcom 5676x) ASICs | The This issue should be fixed in an upcoming release of Cumulus Linux. |
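The RN-948 (CM-17494) symptom above, REACHABLE neighbor entries for hosts outside the connected subnet, can be audited from `ip` output. This is an added example, not Cumulus Linux code: it parses constructed sample output in the formats of `ip -o -4 addr show` and `ip -4 neigh show`, and the interface names, addresses and MACs in the samples are assumed.

```python
"""Flag neighbor (ARP) entries whose IP lies outside the connected subnet of the
interface they were learned on, the symptom described in RN-948 (CM-17494).

Added example, not Cumulus Linux code. Input formats are those of
`ip -o -4 addr show` and `ip -4 neigh show`; the samples below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of `ip -o -4 addr show` (line tails omitted).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: swp1    inet 10.1.1.1/24 brd 10.1.1.255 scope global swp1
3: swp2    inet 10.2.2.1/24 brd 10.2.2.255 scope global swp2
"""

# Constructed sample in the format of `ip -4 neigh show`. 192.0.2.9 and
# 198.51.100.7 are off-subnet peers of the kind the issue describes.
SAMPLE_NEIGH = """\
10.1.1.20 dev swp1 lladdr 00:53:00:aa:bb:01 REACHABLE
10.1.1.21 dev swp1 lladdr 00:53:00:aa:bb:02 STALE
192.0.2.9 dev swp1 lladdr 00:53:00:aa:bb:03 REACHABLE
10.2.2.30 dev swp2 lladdr 00:53:00:aa:bb:04 DELAY
198.51.100.7 dev swp2  FAILED
"""

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+/\d+)")
# lladdr is absent for FAILED/INCOMPLETE entries, hence the optional group.
_NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)\s*$")


def parse_connected_subnets(addr_output):
    """Map interface name -> list of connected IPv4 networks."""
    subnets = defaultdict(list)
    for line in addr_output.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            iface, cidr = m.groups()
            subnets[iface].append(ipaddress.ip_interface(cidr).network)
    return dict(subnets)


def parse_neighbors(neigh_output):
    """Parse neighbor entries into dicts (lladdr is None when not present)."""
    entries = []
    for line in neigh_output.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if not m:
            continue
        ip, dev, lladdr, state = m.groups()
        entries.append({"ip": ip, "dev": dev, "lladdr": lladdr, "state": state})
    return entries


def find_off_subnet_neighbors(addr_output, neigh_output):
    """Return neighbor entries whose IP is in none of the connected subnets of
    their interface. Interfaces with no IPv4 address (e.g. unnumbered links)
    are skipped because there is no subnet to check against."""
    subnets = parse_connected_subnets(addr_output)
    findings = []
    for entry in parse_neighbors(neigh_output):
        nets = subnets.get(entry["dev"])
        if not nets:
            continue
        ip = ipaddress.ip_address(entry["ip"])
        if not any(ip in net for net in nets):
            findings.append(entry)
    return findings


if __name__ == "__main__":
    # On a switch, feed the real command output in place of the samples.
    for f in find_off_subnet_neighbors(SAMPLE_ADDR, SAMPLE_NEIGH):
        print(f"{f['ip']:<16} dev {f['dev']:<6} {f['state']:<10} lladdr {f['lladdr']}")
```

A REACHABLE finding is the condition the issue describes; STALE or FAILED off-subnet entries are the precursor state and are reported too so the full picture is visible.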
Issues Fixed in Cumulus Linux 3.6.0
The following is a list of issues fixed in Cumulus Linux 3.6.0 from earlier versions of Cumulus Linux.
Release Note ID | Summary | Description |
---|---|---|
RN-406 (CM-9895) | Mellanox SN2700 power off issues | The Mellanox SN2700 or SN2700B switch appears to be unresponsive for at least three minutes after a PDU power cycle is issued, if any of the following occur:
To fix this, update the system CPLD to version CPLD000085. Contact Mellanox support for assistance. |
RN-545 (CM-13800) | OSPFv3 redistribute connected with route-map broken at reboot (or ospf6d start) | This issue only affects OSPFv3 (IPv6). This issue is fixed in Cumulus Linux 3.6.0. |
RN-608 (CM-16145) | Buffer monitoring default port group discards_pg only accepts packet collection type | The default port group This issue is fixed in Cumulus Linux 3.6.0. |
RN-704 (CM-18886, CM-20027) | ifreload causes MTU to drop on bridge SVIs | When you run the This issue is fixed in Cumulus Linux 3.6.0. |
RN-738 (CM-18709) | On Dell S4148T-ON switches with Maverick ASICs, configuring 1G or 100M speeds on 10G fixed copper ports requires a ports.conf workaround | 1G and 100M speeds on SFP ports are not working on the Dell S4148T-ON. To enable a speed lower than 10G on a port on the S4148T platform, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds. To work around this issue:
As of 3.5.1, 1G interfaces are supported when using the |
RN-743 (CM-18612) | Routes learned through BGP unnumbered become unusable | In certain scenarios, the routes learned through BGP unnumbered become unusable. The BGP neighbor relationships remain but the routes cannot be forwarded due to a failure in layer 2 and layer 3 next hop/MAC address resolution. To work around this issue, restart FRR. This issue is fixed in Cumulus Linux 3.6.0. |
RN-759 (CM-18401) | The output for the NCLU net show config command is incorrect | The output for the NCLU This issue is fixed in Cumulus Linux 3.6.0. |
RN-766 (CM-19006) | On the Broadcom Trident II+ and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop | On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet). This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:
This issue should be fixed in the Trident 3 ASIC. To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID. For example, if the expected interface configuration is:
Modify the configuration as follows:
|
RN-778 (CM-19203) | On Dell 4148F-ON and 4128F-ON switches with Maverick ASICs, configuring 1G or 100M speeds requires a ports.conf workaround | 1G and 100M speeds on SFP ports do not work automatically on Dell S4148F-ON and S4128F-ON switches. To enable a speed lower than 10G on a port on the S4148F and S4128F platforms, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds. This issue is fixed in Cumulus Linux 3.6.0. |
RN-785 (CM-19422) | NCLU 'net show interface detail' command does not display detailed output | The To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics, use This issue is fixed in Cumulus Linux 3.6.0. |
RN-787 (CM-19418) | NCLU 'net add hostname' creates an inconsistency between /etc/hostname and /etc/hosts files | Running the To work around this issue, manually set the hostname in both the This issue is fixed in Cumulus Linux 3.6.0. |
RN-793 (CM-19321) | FRR does not detect the bandwidth for 100G interfaces correctly | FRR correctly detects the bandwidth for both 10G interfaces and 40G interfaces. However, it does not do so for 100G interfaces. Setting link speed manually does not fix this issue. To work around this issue, restart the FRR service:
This issue is fixed in Cumulus Linux 3.6.0. |
RN-801 (CM-19195) | In VXLAN routing, border leafs in MLAG use anycast IP address after FRR restart | For type-5 routes, when an MLAG pair is used as border leaf nodes, the MLAG primary and secondary nodes use their respective loopback IP addresses as the originator IP address to start, but switch to using the MLAG anycast IP address after an FRR restart. This issue is fixed in Cumulus Linux 3.6.0. |
RN-803 (CM-19456) | EVPN and IPv4 routes change origin after redistribution | EVPN routes are re-injected into EVPN as type-5 routes when a type-5 advertisement is enabled. This issue occurs when advertising different subnets from different VTEPs into a type-5 EVPN symmetric mode environment. This issue is fixed in Cumulus Linux 3.6.0. |
RN-806 (CM-19241) | FRR removes all static routes when the service is stopped, including those created by ifupdown2 | Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the To work around this issue, configure static routes in the
For example:
This issue is fixed in Cumulus Linux 3.6.0. |
RN-807 (CM-17159) | NCLU 'net show interface <bond>' command shows interface counters that are not populated | The output of the NCLU This issue is fixed in Cumulus Linux 3.6.0. |
RN-809 (CM-19120) | The 'netshow lldp' command displays an error | When running the
However, the NCLU This issue is fixed in Cumulus Linux 3.6.0. |
RN-815 (CM-19630) | Bridge MAC address clashing when eth0 is part of the same broadcast domain | Cumulus Linux uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading. To work around this issue, manually change the bridge MAC address in the This issue is fixed in Cumulus Linux 3.6.0. |
RN-820 (CM-19908) | RADIUS and TACACS Plus should use pam_syslog not openlog/syslog/closelog | The pam_syslog() interface is now being used to send messages to the system logger, which changes the message format. For example, with an incorrect password, the old message format for TACACS Plus is:
The new message format for TACACS Plus is:
This issue is fixed in Cumulus Linux 3.6.0. |
RN-821 (CM-19898) | The 'net show interface' command output missing information | The This issue is fixed in Cumulus Linux 3.6.0. |
RN-824 (CM-19667) | The show ipv6 route ospf command results in an unknown route type | When you run the
This issue is fixed in Cumulus Linux 3.6.0. |
RN-826 (CM-16865) | The compute unique hash seed default value is the same for each switch | The algorithm that calculates hashing is the same on every switch instead of being unique. This issue is fixed in Cumulus Linux 3.6.0. |
RN-828 (CM-19748) | Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789 | The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux is built on Debian Jessie. This issue is fixed in Cumulus Linux 3.6.0. |
RN-829 (CM-19660) | Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176 | The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system. This issue is fixed in Cumulus Linux 3.6.0. Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing remote attackers to run an arbitrary shell command. For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1. |
RN-830 (CM-19595) | Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007 | The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package. This issue is fixed in Cumulus Linux 3.6.0. CVE ID : CVE-2018-1000005 CVE-2018-1000007 For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9. |
RN-831 (CM-19507) | Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 | The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*. This issue is fixed in Cumulus Linux 3.6.0. Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1. |
RN-832 (CM-19458) | Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145 | The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package. This issue is fixed in Cumulus Linux 3.6.0. CVE ID : CVE-2017-3145 For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15. For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4. We recommend that you upgrade your bind9 packages. |
RN-833 (CM-19446) | Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412 | The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package. This issue is fixed in Cumulus Linux 3.6.0. Package : libxml2 Nick Wellnhofer discovered that certain function calls inside XPath For the oldstable distribution (jessie), this problem has been fixed |
RN-834 (CM-19385) | Security: Debian Security Advisories DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more | The following CVEs were announced in Debian Security Advisory DSA-4086-1, and affect the Linux kernel. This issue is fixed in Cumulus Linux 3.6.0. Package : linux Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:
Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.
Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information. Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host. Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel. For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1. |
RN-836 (CM-19353) | NCLU 'net del' and 'net add bridge' commands do not work in the same 'net commit' | If a bridge is previously configured and you run the This issue is fixed in Cumulus Linux 3.6.0. |
RN-837 (CM-19919) | PCIe bus error (Malformed TLP) on the Dell Z9100 switch | Certain Dell Z9100 switches running Cumulus Linux have a different string coded in the Manufacturer field of the SMBIOS/DMI information. This discrepancy sometimes causes a problem with timing during the boot sequence that leaves To work around this issue, perform either a single cold reboot (power cycle the switch) or two warm reboots (run the reboot command twice). This issue is fixed in Cumulus Linux 3.6.0. |
RN-861 (CM-20694) | NCLU 'net show lldp' command traceback on 'descr' | When you run the To work around the issue, make sure that the LLDP peer device is configured to send the LLDP description in the TLV. This issue is fixed in Cumulus Linux 3.6.0. |
RN-862 (CM-20416) | The error message 'snmpd[xxx]: truncating integer value > 32 bits' repeating in syslog | When the switch or snmpd is running for more than 497 days, the following error message repeats in syslog:
This issue is resolved by limiting the number of log messages to 10 occurrences. |
RN-863 (CM-20372) | The IPv6 default gateway GUA is not reachable through ICMP in a VXLAN configuration | When a server tries to reach the IPv6 default gateway global unique address (GUA) over a VXLAN enabled fabric, the communication fails if the gateway resides on a platform with the Broadcom Trident II+ ASIC, as incorrect hardware programming fails to forward the packet to the control plane for termination. This issue is fixed in Cumulus Linux 3.6.0. |
RN-864 (CM-20272) | Security: Debian Security Advisory DSA-4154-1 for net-snmp issue | The following CVE was announced in Debian Security Advisory DSA-4154-1, and affects the net-snmp package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4154-1 security@debian.org Package : net-snmp A heap corruption vulnerability was discovered in net-snmp, a suite of For the oldstable distribution (jessie), these problems have been fixed For the stable distribution (stretch), these problems have been fixed We recommend that you upgrade your net-snmp packages. For the detailed security status of net-snmp please refer to its Further information about Debian Security Advisories, how to apply |
RN-865 (CM-20344) | On the Broadcom Trident II+ ASIC, traceroute to an external host skips the anycast gateway address | When using traceroute from a server over a routed VXLAN overlay, the overlay router is not correctly accounted for in the path list. You might see the overlay router as an unknown hop or a repetition of the preceding hop. This applies for both IPv4 and IPv6. This issue is fixed in Cumulus Linux 3.6.0. |
RN-866 (CM-20182) | On Mellanox switches, ACL rules that match a TCP port do not work for encapsulated VXLAN packets | For an incoming VXLAN encapsulated packet, the inner packet does not match on the TCP port successfully after decapsulation. This issue is fixed in Cumulus Linux 3.6.0. |
RN-867 (CM-20126) | Implement forwarding table profiles for Maverick | Maverick switches should have layer 2 and layer 3 table sizes when using This issue is fixed in Cumulus Linux 3.6.0. |
RN-868 (CM-20069) | Link-down does not work on SVIs configured in a VRF | The This issue is fixed in Cumulus Linux 3.6.0. |
RN-869 (CM-20002) | Kernel route uses the bridge VRR interface instead of the bridge interface | In the kernel routing table, the bridge VRR interface is used instead of the bridge interface. This causes ARP packets to be sourced from the VRR interface instead of the physical interface. This issue is fixed in Cumulus Linux 3.6.0. |
RN-870 (CM-19959) | Internal loopback ports on Tomahawk switches set to 40G cause traffic to throttle | The internal loopback ports on a Tomahawk switch should be set to the highest speed of which the port is capable. However, due to a software defect, the ports can be set to 40G, which throttles traffic. When configuring Tomahawk internal loopback ports, make sure the port is not configured to a speed other than 100G. If it is, first remove the configuration on that port, reboot the system, then reconfigure the loopback port in the This issue is fixed in Cumulus Linux 3.6.0. |
RN-871 (CM-19906) | Security: Debian Security Advisory DSA-4120-1 for Linux kernel issue CVE-2018-5750 | The following CVE was announced in Debian Security Advisory DSA-4120-1, and affects the Linux kernel. The issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4120-1 security@debian.org It was found that the acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. See https://patchwork.kernel.org/patch/10174835/ for further details. |
RN-872 (CM-19753) | On Mellanox Spectrum platforms configured with BGP unnumbered and multipath, cl-ecmpcalc fails on two links | On Mellanox Spectrum platforms,
This issue is fixed in Cumulus Linux 3.6.0. |
RN-873 (CM-18076) | Platform-aware validation checker for ports.conf | Cumulus Linux provides a new The following example shows a
The above snippet in the
This issue is fixed in Cumulus Linux 3.6.0. |
RN-874 (CM-16293) | NCLU 'net show interface' output should be fewer than 80 characters | The output for the This issue is fixed in Cumulus Linux 3.6.0. The |
RN-905 (CM-19649) | LLDP-MED network policy not working after port flaps | LLDP-MED includes voice VLAN and DSCP values. When you configure LLDP, the service works when the port is first brought up, but the switch stops sending LLDP-MED TLVs after a link state transition. This issue is fixed in Cumulus Linux 3.6.0. |
RN-909 (CM-20543) | NCLU 'net del time ntp server *' command crashes netd | Removing all NTP servers from the configuration with the This issue is fixed in Cumulus Linux 3.6.0. |
RN-910 (CM-20483) | On the Dell 4148F-ON switch, portwd tries to make 10G ports into 40G | On the Dell 4148F-ON switch, ports swp53 and swp54 do not link up with installed 10G DACs. This issue is fixed in Cumulus Linux 3.6.0. |
RN-911 (CM-20411) | OSPF is up after BFD fails in a point-to-point network | When a BFD session fails in a point-to-point network, the OSPF adjacency with the neighbor is not brought down. This issue is fixed in Cumulus Linux 3.6.0. |
RN-912 (CM-19801) | QinQ not working without a restart in traditional mode bridge | When changing the inner and outer VLANs of a double-tagged bridge interface using This issue is fixed in Cumulus Linux 3.6.0. |
RN-913 (CM-19728) | NCLU 'ip forward' command has incorrect syntax and does not show in configuration | When you disable IP forwarding on an interface with the NCLU This issue is fixed in Cumulus Linux 3.6.0. |
RN-914 (CM-19727) | VRF not generated when used in BGP configuration | When you run the NCLU This issue is fixed in Cumulus Linux 3.6.0. |
RN-915 (CM-19689) | The default syslog level for DHCP Relay results in too many messages | The default syslog severity level for DHCP Relay is 6, which causes too many syslog messages. This issue is fixed in Cumulus Linux 3.6.0. |
RN-916 (CM-19666) | netd crashes when you add unicode characters in SNMP commands | Unicode characters in SNMP commands cause This issue is fixed in Cumulus Linux 3.6.0. |
RN-917 (CM-19629) | FRR package code dependency causes FRR reload failure | Reloading a running FRR instance without a restart fails and generates errors in the log due to code failing dependencies. This issue is fixed in Cumulus Linux 3.6.0. |
RN-918 (CM-19615) | On the Tomahawk ASIC, the nexthop of a route in a VRF points to an incorrect interface | The nexthop of a route common to two VRFs points to an incorrect interface. This issue is fixed in Cumulus Linux 3.6.0. |
RN-919 (CM-19452) | NCLU 'net show lldp' command causes netd to crash | The This issue is fixed in Cumulus Linux 3.6.0. |
RN-920 (CM-19374) | sFlow sampling causes RX-DRP in kernel | sFlow sampling is causing the RX-DRP counter in the This issue is fixed in Cumulus Linux 3.6.0. |
RN-921 (CM-19370) | Link Local IPv6 address is not associated with a VRF | Link Local IPv6 addresses cannot be used to source SSH traffic inside a VRF such as the management VRF. This issue is fixed in Cumulus Linux 3.6.0. |
RN-922 (CM-20237) | Security: Debian Security Advisory DSA-4151-1 for librelp issue CVE-2018-1000140 | The following CVE was announced in Debian Security Advisory DSA-4151-1, and affects the librelp package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4151-1 security@debian.org Package : librelp Bas van Schaik and Kevin Backhouse discovered a stack-based buffer Details can be found in the upstream advisory: For the oldstable distribution (jessie), this problem has been fixed For the stable distribution (stretch), this problem has been fixed in We recommend that you upgrade your librelp packages. For the detailed security status of librelp, please refer to its security |
RN-923 (CM-20093) | Security: Debian Security Advisory DSA-4140-1 for libvorbis issue CVE-2018-5146 | The following CVEs were announced in Debian Security Advisory DSA-4140-1, and affect the libvorbis package. This issue is fixed in Cumulus Linux 3.6.0 -------------------------------------------------------------------------- ------------------------------------------------------------------------- Package : libvorbis Richard Zhu discovered that an out-of-bounds memory write in the For the oldstable distribution (jessie), this problem has been fixed For the stable distribution (stretch), this problem has been fixed in |
RN-924 (CM-20066) | Security: Debian Security Advisory DSA-4136-1 for curl issues CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 | The following CVEs were announced in Debian Security Advisory DSA-4136-1, and affect the curl package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4136-1 security@debian.org ------------------------------------------------------------------------- Package : curl Multiple vulnerabilities were discovered in cURL, an URL transfer library. Duy Phan Thanh discovered that curl could be fooled into writing a CVE-2018-1000121 OSS-fuzz, assisted by Max Dymond, discovered that curl could be For the oldstable distribution (jessie), these problems have been fixed For the stable distribution (stretch), these problems have been fixed in We recommend that you upgrade your curl packages. For the detailed security status of curl, please refer to |
RN-925 (CM-20030) | Security: Debian Security Advisory DSA-4100-1 for tiff (libtiff) issues CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727 CVE-2017-18013 | The following CVEs were announced in Debian Security Advisory DSA-4100-1, and affect the tiff package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4100-1 security@debian.org ------------------------------------------------------------------------- Package : tiff Multiple vulnerabilities have been discovered in the libtiff library and For the oldstable distribution (jessie), these problems have been fixed For the stable distribution (stretch), these problems have been fixed in For the detailed security status of tiff, please refer to |
RN-926 (CM-19996) | Security: Debian Security Advisory DSA-4133-1 for isc-dhcp issues CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 | The following CVEs were announced in Debian Security Advisory DSA-4133-1, and affect the isc-dhcp package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4133-1 security@debian.org ------------------------------------------------------------------------- Package : isc-dhcp Several vulnerabilities have been discovered in the ISC DHCP client, It was discovered that the DHCP server does not properly clean up Felix Wilhelm of the Google Security Team discovered that the DHCP Felix Wilhelm of the Google Security Team discovered that the DHCP For the oldstable distribution (jessie), these problems have been fixed For the stable distribution (stretch), these problems have been fixed in We recommend that you upgrade your isc-dhcp packages. For the detailed security status of isc-dhcp, please refer to its |
RN-927 (CM-19961) | Security: Debian Security Advisory DSA-4132 for libvpx issue CVE-2017-13194 | The following CVEs were announced in Debian Security Advisory DSA-4132-1, and affect the libvpx package. This issue is fixed in Cumulus Linux 3.6.0. ------------------------------------------------------------------------- ------------------------------------------------------------------------- Package : libvpx It was discovered that incorrect validation of frame widths in the libvpx For the oldstable distribution (jessie), this problem has been fixed For the stable distribution (stretch), this problem has been fixed in We recommend that you upgrade your libvpx packages. For the detailed security status of libvpx please refer to |
RN-928 (CM-19253) | Security: Debian Security Advisory DSA-4068-1 for rsync issues CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 | The following CVEs were announced in Debian Security Advisory DSA-4068-1, and affect the rsync package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4068-1 security@debian.org ------------------------------------------------------------------------- Package : rsync Several vulnerabilities were discovered in rsync, a fast, versatile, For the oldstable distribution (jessie), these problems have been fixed For the stable distribution (stretch), these problems have been fixed in |
RN-929 (CM-19303) | Security: Debian Security Advisory DSA-4073-1 for linux kernel issues CVE-2017-8824 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017(17806,17807,1000407,1000410) | The following CVEs were announced in Debian Security Advisory DSA-4073-1, and affect the linux package. This issue is fixed in Cumulus Linux 3.6.0. Debian Security Advisory DSA-4073-1 security@debian.org ------------------------------------------------------------------------- Package : linux Several vulnerabilities have been discovered in the Linux kernel that Mohamed Ghannam discovered that the DCCP implementation did not Jann Horn discovered that the Extended BPF verifier did not Kevin Cernekee discovered that the netfilter subsystem allowed Kevin Cernekee discovered that the netlink subsystem allowed Kevin Cernekee discovered that the xt_osf module allowed users Andrey Konovalov reported that that USB core did not correctly Mohamed Ghannam discovered a race condition in the IPv4 raw socket Dmitry Vyukov reported that the KVM implementation for x86 would It was discovered that some implementations of the Salsa20 block It was discovered that the HMAC implementation could be used with Eric Biggers discovered that the KEYS subsystem lacked a check for Andrew Honig reported that the KVM implementation for Intel Ben Seri reported that the Bluetooth subsystem did not correctly Debian disables unprivileged user namespaces by default, but if they |
RN-930 (CM-19367) | Adding MTU to bonded interfaces creates an incorrect interface | When you add an MTU to bonded interfaces, NCLU creates an incorrect interface. This issue is fixed in Cumulus Linux 3.6.0. |
RN-931 (CM-19675) | Static route remains inactive following link flap | When a static route is removed from the zebra routing table because an interface is transitioning to down state, the static route remains inactive when the interface comes back up if an alternate route still exists. This issue is fixed in Cumulus Linux 3.6.0. |
RN-934 (CM-19605) | The kernel reports incorrect link state for 10G BASE-LR on Broadcom switches | On Broadcom switches, the link status for the 10G BASE-LR and 10G BASE-SR might incorrectly display as up after you disconnect the cable. This issue is fixed in Cumulus Linux 3.6.0. |
Known Issues in Cumulus Linux 3.6.0
The following issues are new to Cumulus Linux and affect the current release.